[R-pkg-devel] Submission to CRAN when package needs personal data (API key)

Tue Sep 11 08:53:39 CEST 2018

> On 8 Sep 2018, at 22:47, Spencer Graves <spencer.graves using effectivedefense.org> wrote:
> 
> 
> 
> On 2018-09-08 14:02, Joshua Ulrich wrote:
>> Hi Rainer,
>> 
>> On Wed, Sep 5, 2018 at 2:28 AM, Rainer Krug <Rainer using krugs.de> wrote:
>>> Hi
>>> 
>>> I have a package at GitHub (https://github.com/rkrug/ROriginStamp) which I am
>>> pre[paring for CRAN.
>>> 
>>> It creates a trusted timestamp using the API fro OriginStamp
>>> (https://originstamp.org/home) which requires an API key. Now this API should
>>> not be made public, as to much traffic through one API key will lead to it’s
>>> blocking.
>>> 
>>> I have stored the key encrypted in the travis.yml, and the package passes all
>>> tests.
>>> 
>>> But if I send it to CRAN, it would fail the tests, as the api key is not in
>>> the package itself.
>>> 
>>> I could disable all tests for CRAN which need the API key, but I think it
>>> would be better tu run the tests there as well (as an additional check to
>>> travis).
>>> 
>>> My question:
>>> 
>>> Is there a way of storing the API key encrypted, so that only the CRAN test
>>> servers can decrypt it, or is there another way can steal with this?
>>> 
>> I have a similar issue with quantmod.  I need API keys to test some
>> functionality and I would like the tests run regularly, so I can know
>> when something breaks without having to wait for a user to report the
>> change.
>> 
>> I store the API keys in encrypted environment variable in TravisCI,
>> and I check for those environment variables before running the tests
>> that require them.
>> 
>> Then I added a cron job on TravisCI to run the build if there hasn't
>> been a build in the past 24 hours.  That solves the problem adequately
>> for my purposes without adding any burden to CRAN.  Hopefully it works
>> for your purposes too.
> 
> 
>       So those tests don't run if the required environment variables are not there?

Exactly - that’s how I am doing it at the moment.

> 
> 
>       Rainer's problem was getting a secure time stamp.  For his case, rather than skip the tests if the API keys were not there, one might take the time stamp from someplace else, perhaps with a note of the source of the time stamp.

Well - for the tests I don’t see much use in returning a canned reply if the API key is not present. It would just add a false sense of “working” if the API changes, which is one main point of the tests. So I’d rather skip the tests which require the API key when it is not set via an environmental variable. I am following Josh’s suggestion to run the tests on TravisCI via a cron job to do regular tests.

Thanks

Rainer

> 
> 
>       Spencer
> 
>> Best,
>> Josh
>> 
>>> Thanks,
>>> 
>>> Rainer
>>> 
>>> 
>>> 
>>> --
>>> Rainer M. Krug, PhD (Conservation Ecology, SUN),
>>> MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)
>>> 
>>> University of Zürich
>>> 
>>> Cell:       +41 (0)78 630 66 57
>>> email:      Rainer using krugs.de
>>> Skype:      RMkrug
>>> 
>>> PGP: 0x0F52F982
>>> 
>>> 
>>> 
>>> 
>>> ______________________________________________
>>> R-package-devel using r-project.org mailing list
>>> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>> 
>> 
>> 
> 
> ______________________________________________
> R-package-devel using r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-package-devel

--
Rainer M. Krug, PhD (Conservation Ecology, SUN), MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)

University of Zürich

Cell:       +41 (0)78 630 66 57
email:      Rainer using krugs.de
Skype:      RMkrug

PGP: 0x0F52F982

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <https://stat.ethz.ch/pipermail/r-package-devel/attachments/20180911/34e00fec/attachment.sig>